With Internet use forming an ever greater part of day-to-day life, malicious software—often called “malware”—that steals or destroys system resources, data, and private information is an increasing problem. Governments and businesses devote significant resources to preventing intrusions by malware. Malware comes in many forms, such as computer viruses, worms, trojan horses, spyware, keystroke loggers, adware, and rootkits. Some of the threats posed by malware are of such significance that they are described as cyber terrorism or industrial espionage.
A current approach to counter these threats includes using a security agent that executes locally on a client computing device and interacts with a remote security system in “the Cloud.” The locally-executed security agent may observe events that occur on the computing device, and may analyze those events to determine whether the events alone, or in combination, indicate malicious activity. One example type of event that can be observed in this context is what is known as a “process creation” event. A process creation event occurs any time a process is created, such as a process used to execute a program on the computing device. The security agent can observe and analyze such events, as they occur on the computing device, and when malicious activity is detected, the security agent itself can take action designed to counter the malicious activity, and/or the security agent can send those events to the remote security system for further analysis and/or action.
In addition, the security agent can proactively send observed events to the remote security system without analyzing the events at the client computing device. This may be desirable, for example, in order to minimize resource utilization on the client system while leveraging the high compute power of the remote security system, which may execute security software in the Cloud to detect malicious activity based on the received events, and possibly take some action to counter the malicious activity. However, proactively sending every single event observed on the client system to the remote security system comes at a high cost in terms of the amount of data that is transmitted, indexed, and/or stored during the process. Furthermore, events that occur at a relatively high frequency on client systems often contain a high volume of redundant data. For example, a process executing on a client computing device may get caught in a loop where the process spawns, or creates, many sub-processes that share common properties. Considering the fact that this may occur across many client systems that are proactively sending observed events to the remote security system, a significant amount of resources may be tied up in transmitting, indexing, and/or storing redundant data, which is wasteful and unnecessary for the purpose of ensuring adequate security of the client systems.
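The redundancy described above, illustrated with an added example that is not part of the original text and does not represent the patent's own method: a constructed stream of process creation events from a parent caught in a spawn loop is collapsed by grouping on the properties the sub-processes share (here assumed to be parent PID, parent image, child image and command line), so that one record with a count and time span is sent in place of hundreds of near-identical events.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ProcessCreationEvent:
    """One process creation event as a local security agent might observe it."""
    timestamp: float        # seconds since some epoch
    parent_pid: int
    parent_image: str
    image: str              # executable run by the newly created process
    command_line: str

RedundancyKey = Tuple[int, str, str, str]

def redundancy_key(ev: ProcessCreationEvent) -> RedundancyKey:
    # Assumed grouping key: properties sub-processes spawned from one runaway loop share.
    return (ev.parent_pid, ev.parent_image, ev.image, ev.command_line)

def summarize_events(events: List[ProcessCreationEvent]) -> List[dict]:
    """Collapse events sharing a redundancy key into one record with a count
    and time span, so the burst itself stays visible to remote analysis."""
    groups: Dict[RedundancyKey, dict] = {}
    for ev in events:
        key = redundancy_key(ev)
        if key not in groups:
            groups[key] = {"parent_pid": ev.parent_pid, "parent_image": ev.parent_image,
                           "image": ev.image, "command_line": ev.command_line,
                           "count": 0, "first_seen": ev.timestamp, "last_seen": ev.timestamp}
        g = groups[key]
        g["count"] += 1
        g["first_seen"] = min(g["first_seen"], ev.timestamp)
        g["last_seen"] = max(g["last_seen"], ev.timestamp)
    return list(groups.values())

def constructed_event_stream() -> List[ProcessCreationEvent]:
    """Constructed sample (not captured data): a parent stuck in a loop spawning
    500 identical children, with one unrelated process creation in the middle."""
    spawn_loop = [ProcessCreationEvent(10.0 + i * 0.01, 4242, "C:\\app\\updater.exe",
                                       "C:\\app\\helper.exe", "helper.exe --check")
                  for i in range(500)]
    other = ProcessCreationEvent(12.5, 777, "C:\\Windows\\explorer.exe",
                                 "C:\\Windows\\notepad.exe", "notepad.exe notes.txt")
    return spawn_loop[:250] + [other] + spawn_loop[250:]

if __name__ == "__main__":
    stream = constructed_event_stream()
    summary = summarize_events(stream)
    print(f"{len(stream)} observed events collapsed to {len(summary)} records:")
    print([(r["image"], r["count"]) for r in summary])
```

The summary keeps the count and the first/last timestamps, so a downstream detector can still recognise an abnormal spawn rate without receiving every individual event.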